To create error handlers for Ory Oathkeeper that will redirect to different web pages based on the error code (401 or 403), you can use the

redirect

error handler and configure it with specific matching conditions under the

when

key. Based on the extracts provided, here's how you can set up your

.oathkeeper.yaml

configuration file to achieve this:

yaml # .oathkeeper.yaml errors:   handlers:     redirect:       enabled: true       config:         when:           - error:               - unauthorized # This corresponds to a 401 error             config:               to: <http://webpageA>           - error:               - forbidden # This corresponds to a 403 error             config:               to: <http://webpageB>

Please note that the error names (

unauthorized

for 401 and

forbidden

for 403) are derived from the well-defined HTTP Status messages, and they should be specified in lowercase with underscores replacing spaces, as mentioned in the extract about error matching ([source](https://www.ory.sh/docs/oathkeeper/pipeline/error#error)). This configuration uses the

redirect

handler's ability to specify different redirection URLs based on the error type encountered. The

when

section allows you to define conditions for when each redirection should occur, based on the error type. In this case, if an

unauthorized

(401) error occurs, the user will be redirected to

<http://webpageA>

, and if a

forbidden

(403) error occurs, the user will be redirected to

<http://webpageB>

. Remember, this is a simplified example based on the information provided in the extracts. Depending on your specific requirements, you might need to adjust the configuration, especially if you're dealing with more complex scenarios or additional error types.

In the context of Ory Oathkeeper's error handlers, the

fallback

configuration specifies which error handler should be used when no specific error handling rule matches the current situation. This is particularly useful when you have multiple error handlers enabled, and you need a default behavior for handling errors that don't meet any specific conditions you've defined. The

fallback

configuration is set in the global Ory Oathkeeper configuration file (

.oathkeeper.yaml

). By default, the

json

error handler is enabled and used as the fallback. However, you can customize this by specifying a different handler or multiple handlers in the order they should be tried. Ory Oathkeeper will use the first matching handler in the list as the fallback. Here's an example configuration that sets the

json

error handler as the fallback, which is the default behavior:

yaml # .oathkeeper.yaml errors:   fallback:     - json

You can also define multiple fallback handlers. In this case, Ory Oathkeeper will try each handler in the order listed until one matches:

yaml # .oathkeeper.yaml errors:   fallback:     - redirect     - json

In this configuration, Ory Oathkeeper would first attempt to use the

redirect

handler as the fallback. If the conditions for the

redirect

handler do not match (for example, if it's not enabled or its specific conditions are not met), then Ory Oathkeeper would fall back to the

json

error handler. This feature ensures that Ory Oathkeeper has a clear path for handling errors, even when specific conditions are not met, providing a robust mechanism for managing error responses in a variety of scenarios. For more details on configuring error handlers and fallbacks in Ory Oathkeeper, refer to the documentation extract provided earlier ([source](https://www.ory.sh/docs/oathkeeper/pipeline/error#fallback)).